[ https://issues.apache.org/jira/browse/CASSANDRA-16669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17360535#comment-17360535 ]

Ekaterina Dimitrova commented on CASSANDRA-16669:
-------------------------------------------------

Hi all,

First of all, great job.

Feedback/questions:
 * I guess you opted in for the centralized solution and maybe the question is 
whether we want the users to be given the chance not to obfuscate passwords if 
they want to when they use FQL? Is that correct?  
 * The ticket is still work in progress, not in review, but I made a review on 
the latest pull request as I see everyone was working on it lately and I had 
the impression that is what was decided? 
 * I think we might want to add tests for the corner cases identified in the 
previous comment by Stefan. (Great catch!) Also, I found one more weird corner 
case which Stefan's patch took care of. If a user does an invalid batch request 
including DCL - that would be logged as below with the password still being 
_password_a_:

{code:java}
INFO  [Native-Transport-Requests-1] 2021-06-09 23:38:05,965 FileAuditLogger.java:51 - user:anonymous|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:63360|timestamp:1623296285965|type:REQUEST_FAILURE|category:ERROR|operation:BEGIN BATCH CREATE ROLE alice WITH PASSWORD = 'password_a' AND LOGIN = true; CREATE ROLE new_role; APPLY BATCH;; line 1:12 mismatched input 'CREATE' expecting K_APPLY (BEGIN BATCH [CREATE]...)
{code}
I know it is highly unlikely to happen but it was there and Stefan's latest 
patch takes care of it. We might want to add a test for that edge case too.

 * I didn't see [this question|https://github.com/apache/cassandra/pull/1043/commits/07990ebaba79e6d9553de14733e28d89caa5e171#diff-df97ca69d481fde559e155c724ca60967a1e57222ea845d8ee8299d7b014df46R86] being resolved.
 * Do we need an interface? What other implementations are planned? 
 * I believe the rest is nits on the PR itself.

I will make another pass tomorrow morning again.

> Password obfuscation for DCL audit log statements
> -------------------------------------------------
>
>                 Key: CASSANDRA-16669
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16669
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tool/auditlogging
>            Reporter: Vinay Chella
>            Assignee: Sumanth Pasupuleti
>            Priority: Normal
>              Labels: audit, security
>             Fix For: 4.0-rc, 4.0.x, 4.x
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> The goal of this JIRA is to obfuscate passwords or any sensitive information 
> from DCL audit log statements.
> Currently, Cassandra (version 4.0-rc1) logs query statements for any DCL 
> ([ROLE|https://cassandra.apache.org/doc/latest/cql/security.html#database-roles] 
> and [USER|https://cassandra.apache.org/doc/latest/cql/security.html#users]) 
> queries with passwords in plaintext format in audit log files.
> The current workaround to avoid plain text passwords being logged in 
> audit log files is either 
> [excluding|https://cassandra.apache.org/doc/latest/operating/audit_logging.html#options] 
> DCL statements from auditing or excluding the user who is creating these 
> roles from auditing.
> It would be ideal for Cassandra to provide an option or default to obfuscate 
> passwords or any sensitive information from DCL audit log statements.
> Sample audit logs with DCL queries
> {code:sh}
> Type: audit
> LogMessage: user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190499676|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE new_role;
> Type: audit
> LogMessage: user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190505313|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE alice WITH PASSWORD = 'password_a' AND LOGIN = true;
> Type: audit
> LogMessage: user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190519521|type:REQUEST_FAILURE|category:ERROR|operation:ALTER ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false;; bob doesn't exist
> Type: audit
> LogMessage: user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190525376|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE bob WITH PASSWORD = 'password_b' AND LOGIN = true AND SUPERUSER = true;
> Type: audit
> LogMessage: user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190532462|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false;
> {code}
> It is also ideal to document this workaround or assumption in Cassandra audit 
> log documentation until we close this JIRA
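
An added example, not part of the ticket or of the Cassandra patch: a Python check an operator could run over existing audit log files to find and mask entries that still carry a password literal, including the REQUEST_FAILURE and invalid-batch cases raised in the comment above. The function names and the mask token are assumptions of this example, and only single-quoted CQL string literals are handled.

```python
import re

# PASSWORD, optional '=', then a single-quoted CQL string ('' is an escaped quote).
PASSWORD_LITERAL = re.compile(r"(\bPASSWORD\s*=?\s*)'(?:[^']|'')*'", re.IGNORECASE)
MASK = "'*******'"  # mask token chosen for this example

def parse_entry(line):
    """Split 'k:v|k:v|...|operation:<CQL>' into header fields and the CQL text."""
    head, sep, operation = line.partition("|operation:")
    start = head.find("user:")  # skip any logger prefix in front of the entry
    fields = dict(f.partition(":")[::2] for f in head[max(start, 0):].split("|"))
    return fields, (operation if sep else None)

def redact(operation):
    """Return (masked_text, number_of_password_literals_masked)."""
    return PASSWORD_LITERAL.subn(lambda m: m.group(1) + MASK, operation)

def scan(lines):
    """Report every entry whose operation text carries a password literal,
    whatever its type/category, so failed requests are covered as well."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields, operation = parse_entry(line)
        if operation is None:
            continue
        masked, hits = redact(operation)
        if hits:
            findings.append((lineno, fields.get("type"), fields.get("category"), masked))
    return findings

# Entries 1-3 follow the samples on this page (re-joined onto one line each);
# entry 4 is constructed for this example to exercise an escaped quote.
HDR = "user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|"
SAMPLE = [
    HDR + "timestamp:1620190499676|type:CREATE_ROLE|category:DCL|"
          "operation:CREATE ROLE new_role;",
    HDR + "timestamp:1620190519521|type:REQUEST_FAILURE|category:ERROR|"
          "operation:ALTER ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false;; bob doesn't exist",
    "INFO  [Native-Transport-Requests-1] 2021-06-09 23:38:05,965 FileAuditLogger.java:51 - "
    "user:anonymous|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:63360|"
    "timestamp:1623296285965|type:REQUEST_FAILURE|category:ERROR|operation:BEGIN BATCH "
    "CREATE ROLE alice WITH PASSWORD = 'password_a' AND LOGIN = true; CREATE ROLE new_role; "
    "APPLY BATCH;; line 1:12 mismatched input 'CREATE' expecting K_APPLY (BEGIN BATCH [CREATE]...)",
    HDR + "timestamp:1620190532462|type:CREATE_ROLE|category:DCL|"
          "operation:CREATE USER carol WITH PASSWORD 'it''s' NOSUPERUSER;",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Matching on the statement text is a check for logs that were already written; it does not replace obfuscation inside the server before the entry is emitted.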


